Open c0c0n3 opened 4 years ago
Step 0: secret, then if resources allow I would investigate Citadel.
I would go for the more Docker/K8s solution, to make it easier to understand in the first run. If we face performance issues, we should keep it in mind.
If my memory serves me well, K8s secret volumes get mounted on a tmpfs which is normally RAM-backed. So key look-up should be darn fast...well, at least that's the theory, time will tell :-)
At the moment both the pub and private keys sit in the adapter config. While it's okay for the pub key to be there, we should find a better home for the private key---think raising the bar for security. Figure out if Istio Citadel could help here, or whether we should rather use K8s secrets/tmpfs volumes. Any other options?
The advantage of adapter config storage is access speed and caching. We should consider these two factors too when scratching around for a solution.